Thumbnails are stored in thumbcache_NN.db files in different formats (e.g. BMP) and can be extracted using file carving. There are several tools that can work with Vista Thumbcache: dmThumbs, Thumbs.db Viewer, and FTK. Unfortunately, there is no information in the thumbcache that can easily link thumbnails with original files in all cases. One of the ways to link thumbnails with original files is to use Windows Indexer (Windows.edb) database.

Thumbcache Format

In general, every thumbnail in cache is associated with two 64-bit variables. First variable (sometimes called Unique ID, Secret, File ID) associates data in file thumbcache_idx.db with thumbnail data in thumbcache_NN.db files; the purpose of this variable is unclear. Another variable is Thumbnail Cache ID (sometimes called Thumbnail filename (in FTK), File Ref) is used to link thumbnails with original files. Actually, Thumbnail Cache ID is represented as Unicode string of HEX encoding.

Linking thumbnails with original files

Using Windows Indexer

One way to link thumbnails with original files is to use Windows Indexer database, which stores association between indexed files and ThumbnailCacheIDs with some metadata.

Using Windows PowerShell

Windows PowerShell provides easy way to access this database using SQL queries. Note that most forensic tools (like FTK) display ThumbnailCacheID (FTK calls it Thumbnail filename) in hexademical, but Windows PowerShell returns the result in decimal.

Using HEX editor

You can also search for ThumbnailCacheID value in Windows.edb file using your favorite HEX editor.